This document is a synopsis of the black hat hack by Phineas Phisher against Hacking Team
I was led to this story via a YouTube video of a presentation by Will Schroeder (Harmj0y) called “Offensive Active Directory”, available here, where he made reference to the hack. The full write-up of Phineas’s hack is available here and certainly makes for an interesting and educational read.
Hacking Team (HT) is an Italian cybersecurity company that produces a “Remote Control System” (RCS) platform: an offensive-security “Remote Access Trojan” (RAT), marketed as a remote monitoring platform. Hacking Team purports to provide its products only to approved end users (governments and law enforcement agencies), but it has had questionable dealings with regimes that have less than exemplary human rights records and a low tolerance for public criticism and dissent. See here for more information. This document is not about HT’s ethics, business practices or customers, nor about Phineas’s motivations, morally justified or not. It is simply a high-level overview of Phineas Phisher’s methodology.
Phineas’s guide starts with Operational Security (OPSEC) considerations. He advises encrypting hard drives, using a virtual machine (VM) such as Whonix or Tails in conjunction with the Tor network, never using your home Internet connection, and connecting through a VPN. Finally, he suggests that any purchases should be made with Bitcoin. Phineas used this Tor connection to reach the hacking infrastructure from which HT was attacked.
Because HT is an IT security company, Phineas decided not to attack via social engineering, judging the probability of success to be low. After extensive enumeration of HT’s small public Internet presence, Phineas gained an initial foothold in HT’s internal network through a zero-day exploit in an undisclosed embedded device (e.g. a router or an IP camera) that was reachable from the public Internet. He tested the exploit against other, unrelated organisations that used the same technology in order to refine the process and to test the various embedded post-exploitation tools that he had installed into the devices’ firmware.
Once Phineas had a foothold in the internal network, the process of enumeration began again. Using Nmap and Responder.py he discovered several MongoDB instances, but these proved to be of limited interest. Phineas’s real breakthrough came from the discovery of insecure backups of virtual machines (VMs). Phineas was able to mount a Virtual Machine Disk (.vmdk) file remotely on his Virtual Private Server (VPS) via port forwarding, and then mount and explore the contents of the VM’s hard disk. Within the backups Phineas discovered the VM of an Exchange email server, which held the most interest. It was too large to download, but Phineas was able to mount the VM’s hard disk remotely and search it for content to leverage.
Phineas was able to recover a “besadmin” username and password from a registry hive in the Exchange VM backup using lsadump. After confirming that the credentials were still valid on the server at 192.168.100.51, Phineas used Metasploit’s psexec_psh module to obtain a Meterpreter reverse shell. Then, using creds_wdigest, he harvested further clear-text account details, including the Domain Admin password. With the Domain Admin credentials Phineas was able to access the live Exchange server and download email using PowerShell. Besides email access, Phineas was also able to download the contents of the file server using smbclient.
With regard to persistence, Phineas advises readers against techniques such as creating scheduled tasks, as these leave detectable footprints. Having local Administrator-level access on a machine, Phineas was able to use Mimikatz and the MS14-068 Kerberos vulnerability to create a “golden ticket”, which provided a means of residual access to machines on the internal network. He also had an extensive list of passwords, and he ran exploit code on several high-availability servers (servers that are rarely rebooted). By running the code in RAM and not “touching disk”, the chance of detection was reduced.
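From a defender's standpoint, the Kerberos abuse described above (an MS14-068 forged PAC and Mimikatz golden tickets) leaves artefacts in the Windows Security log that can be checked mechanically. The following added example is not from the original write-up or from Hacking Team; it scans a constructed, simplified rendering of 4624 logon and 4769 service-ticket events for three published indicators: a SID that does not match the account name, a domain field in FQDN form instead of the NetBIOS name, and RC4 (etype 0x17) tickets in a domain that should be AES-only. The field names, SIDs and the HT/ht.local domain are assumptions made up for the sample.

```python
import re

# Constructed sample (not real Hacking Team logs): one event per line,
# "<EventID> key=value ..." as a SIEM might export the Security log.
SAMPLE_EVENTS = """\
4624 Sid=S-1-5-21-1111-2222-3333-1105 User=jdoe Domain=HT Pkg=Kerberos
4624 Sid=S-1-5-21-1111-2222-3333-500 User=jdoe Domain=HT Pkg=Kerberos
4624 Sid=S-1-5-21-1111-2222-3333-500 User=Administrator Domain=ht.local Pkg=Kerberos
4769 User=Administrator@ht.local Service=cifs/fs01 Enc=0x17
4769 User=jdoe@HT.LOCAL Service=cifs/fs01 Enc=0x12
"""

# SID -> sAMAccountName mapping a defender would export from the directory
# (constructed; RID 500 is the built-in Administrator by definition).
KNOWN_ACCOUNTS = {
    "S-1-5-21-1111-2222-3333-1105": "jdoe",
    "S-1-5-21-1111-2222-3333-500": "Administrator",
}
NETBIOS_DOMAIN = "HT"      # the domain field legitimate logons carry
RC4_HMAC = "0x17"          # etype 23; an AES-only domain should not see it

EVENT_RE = re.compile(r"(?P<id>\d+) (?P<kv>.*)")

def parse_event(line):
    """Turn one sample line into a dict of fields plus the event id."""
    m = EVENT_RE.match(line)
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["id"] = m.group("id")
    return fields

def indicators(ev):
    """Return the list of forged-ticket indicator names for one event."""
    hits = []
    if ev["id"] == "4624" and ev.get("Pkg") == "Kerberos":
        # MS14-068 style forged PAC: SID and account name disagree
        if KNOWN_ACCOUNTS.get(ev["Sid"]) != ev["User"]:
            hits.append("sid_name_mismatch")
        # Golden tickets are commonly minted with the FQDN in the domain field
        if ev["Domain"] != NETBIOS_DOMAIN:
            hits.append("domain_format_anomaly")
    elif ev["id"] == "4769" and ev.get("Enc") == RC4_HMAC:
        hits.append("rc4_service_ticket")
    return hits

def scan(log_text):
    """Map 1-based line number -> indicators for every suspicious event."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = indicators(parse_event(line))
        if hits:
            findings[n] = hits
    return findings
```

Each indicator on its own has benign explanations (a legacy host still using RC4, for example), so the hits are triage leads to correlate with the account and host involved, not verdicts.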
The final crown jewels of the HT network were the source code for the RCS platform. Phineas identified an isolated network. Having identified the system administrators, Phineas discovered that one of them, Mauro Romeo, had a TrueCrypt volume but no open ports on his system. As Phineas already had domain-level access, he was able to open the WMI port and create a Meterpreter session. Once Romeo mounted the TrueCrypt volume, Phineas copied off the files. Within the exfiltrated data Phineas discovered a password file that allowed access to the isolated network via a Nagios server used for monitoring.
As a final act, Phineas was able to reset the passwords of HT’s Git repositories and Twitter accounts. As he already had email access, he could use the “forgot my password” recovery functions on these accounts.
The author of this document has no opinion on the morality of Phineas’s actions or motivations. But the author is sure that if an IT security company such as Hacking Team can be infiltrated to the level that Phineas Phisher infiltrated them, the average company is in a weak and dangerous position against a motivated attacker.
Mark WH 7/12/2018